{{Fail2ban}} scans log files like <tt>/var/log/pwdfail</tt> or <tt>/var/log/apache/error_log</tt> and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. {{Fail2ban}} can read multiple log files, such as the sshd or Apache web server ones.

=== I get emails containing "Here are/is more information about <ip>" and then nothing ===

You are using a mail-whois*/sendmail-whois* action and you don't have the ''whois'' executable installed.

=== Is {{Fail2ban}} free software? ===

{{Fail2ban}} is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

=== What do you need to run {{Fail2ban}}? ===

Take a look at the [[Requirements]] section.

=== What does the version number of {{Fail2ban}} mean? ===

The structure of the version number is ''major.minor.revision''. Currently the ''major'' number is 0. The policy for ''minor'' is:

* '''odd numbers''' (0.5, 0.7, etc) are development versions.

* '''even numbers''' (0.6, 0.8, etc) are stable versions.

New features, code refactoring, configuration or API changes are done mainly in development versions. Stable versions contain security fixes and small improvements that have little chance of breaking something.

Revisions are named ''alpha'', ''beta'', ''release candidate'' and ''stable''. Stable versions with even minor versions are always named ''stable''. Development versions are first called ''alpha'', then when stability improves, ''beta'' and finally ''release candidate'' when the application is close to stabilization.

=== How to ask for help or submit a bug report or a feature request? ===

First of all, try to find an answer on this website. Read the [[FAQ]], [[Manual]] and visit [[HOWTOs]]. Search the [http://sourceforge.net/mail/?group_id=121032 mailing lists] archives and look at the [http://sourceforge.net/tracker/?group_id=121032 trackers]. If you did not find any answer, subscribe to this [https://lists.sourceforge.net/lists/listinfo/fail2ban-users mailing list] and ask your question there. Registration is required in order to avoid spam.

If you are convinced that you found a bug, you can directly create a new ticket [http://sourceforge.net/tracker/?group_id=121032&atid=689044 here].

If you want to submit a feature request, create a new ticket [http://sourceforge.net/tracker/?group_id=121032&atid=689047 here].

In both cases, please check first that no similar bug or request has already been submitted.

In any case, when asking for support, please provide the following information:

* The version of {{Fail2ban}} you are running (use '''-V''' or '''--version''')

It is possible to run {{Fail2ban}} without installation. {{Fail2ban}} is written in Python and does not need to be compiled. If you want to quickly test {{Fail2ban}} or if you have it already installed and want to test a new version, please follow these steps (for 0.7.x and above):

* [[Downloads|Download]] a source tarball (release or nightly).

* Unpack it somewhere on your system.

* You should have a directory named ''fail2ban-*''. Go into this directory.

* Edit the configuration in ''config/''.

** Change the option '''socket''' in ''fail2ban.conf''.

** Change the option '''logtarget''' in ''fail2ban.conf''.

** Do not forget to edit ''jail.conf'' too.

* Use ''fail2ban-client'' to start ''fail2ban-server''. Do not forget to tell it where to find the configuration:

 ./fail2ban-client -c config/ start

* Always use the '''-c''' option for other calls to ''fail2ban-client''. Do not forget the '''./''' prefix either. Here is another example:

 ./fail2ban-client -c config/ status

* Shut down {{Fail2ban}} with:

 ./fail2ban-client -c config/ stop
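The point of editing '''socket''' and '''logtarget''' in the steps above is that a test instance started from the tarball must not share the installed instance's socket and log file. The following check was written for this page and is not part of fail2ban: it reads a candidate ''config/fail2ban.conf'' and reports which of those two options still point at the system paths. The installed-instance paths are assumed defaults taken from a stock 0.8-era ''fail2ban.conf'' (adjust them to the copy on your system), and both sample files are constructed.

```python
from configparser import ConfigParser

# Assumed: paths a packaged 0.8-era fail2ban instance uses by default.
INSTALLED_SOCKET = "/var/run/fail2ban/fail2ban.sock"
INSTALLED_LOGTARGET = "/var/log/fail2ban.log"


def parse_fail2ban_conf(text):
    """Return the [Definition] section of a fail2ban.conf given as a string."""
    cp = ConfigParser()
    cp.read_string(text)
    return cp["Definition"]


def collisions(conf_text):
    """Option names whose values would clash with the installed instance."""
    section = parse_fail2ban_conf(conf_text)
    clashes = []
    if section.get("socket") == INSTALLED_SOCKET:
        clashes.append("socket")
    if section.get("logtarget") == INSTALLED_LOGTARGET:
        clashes.append("logtarget")
    return clashes


# Constructed: the file as shipped in the tarball, still pointing at the system paths ...
UNEDITED = """
[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
"""

# ... and the same file after following the steps above (test paths are constructed).
EDITED = """
[Definition]
loglevel = 4
logtarget = /tmp/fail2ban-test/fail2ban.log
socket = /tmp/fail2ban-test/fail2ban.sock
"""

if __name__ == "__main__":
    for name, text in (("unedited", UNEDITED), ("edited", EDITED)):
        clashes = collisions(text)
        verdict = "OK" if not clashes else "still using installed " + ", ".join(clashes)
        print(f"{name}: {verdict}")
```

Run it against the ''config/'' directory you are about to pass with '''-c''' before starting the server; two instances bound to the same socket or writing the same log file are the usual reason a "quick test" of a new version interferes with the packaged one.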

People who want to hack on {{Fail2ban}} can also use this procedure in order to quickly test their changes.

== '''Configuration''' ==

=== What is the main configuration file for {{Fail2ban}}? ===

The {{Fail2ban}} configuration process is rather simple. There is only one configuration file, in which {{Fail2ban}} is configured entirely; this file is located at:

<tt>/etc/fail2ban.conf</tt>

You can edit this file using any editor you want: vim, emacs, joe, ae...

The configuration file must be edited as '''root'''.

=== How can {{Fail2ban}} be configured? ===

This step is fully detailed in the [[HOWTOs]] chapter.

=== Can I exclude failed logins for selected users from resulting in a ban? ===

(I don't know, perhaps that's a feature request.)

Edit: Because fail2ban does not know anything about the username format logged in the specific file(s) (if usernames are logged at all), it is only possible to exclude selected users in the regex of the service section.

== '''Security''' ==

=== What do I have to consider when using {{Fail2ban}}? ===

Especially on systems which provide SSH/CGI/PHP services to unknown users, it is possible to block other users from ssh and probably other services. How would a user do so? The user could issue:

Or the malicious user may write via PHP's <tt>openlog()</tt>/<tt>syslog()</tt> to syslog.

'''Solution #1''': This security hazard can be handled via the ownership/permissions of ''/dev/log'', which by default allows all users to log. Just add a group ''log'', add all daemons and root to that group, and be happy.

=== What about log injection? ===

{{Fail2ban}} parses log files of other services and thus it can be vulnerable to log injection. Daniel B. Cid describes this kind of issue in [http://www.ossec.net/en/attacking-loganalysis.html Attacking Log analysis tools]. I strongly suggest that you read this article. We will always try to provide safe configuration files. However, you can use '''fail2ban-regex''' to test your configuration files against forged log lines.

== '''Troubleshooting''' ==

=== I have Postfix on my system but no "mail" command. How can I get e-mail notifications? ===

[[Category:Documentation]]

=== Fail2ban-client is unable to contact server ===

Did you make sure to run fail2ban-client status using sudo?

 $ fail2ban-client status
 ERROR Unable to contact server. Is it running?

 $ sudo fail2ban-client status
 Status
 |- Number of jail: 1
 `- Jail list: ssh

=== Fail2ban is running but not banning SSH bruteforce ===

'''NB''': This example is based on a Debian system, but can easily be done on any distro.

The package is properly installed:

 # dpkg -l |grep fail
 ii fail2ban 0.8.1-2 bans IPs that cause multiple authentication

The service is running:

 # /etc/init.d/fail2ban status
 Status of authentication failure monitor: fail2ban is running

SSH jail is set up and ready:

 # sudo fail2ban-client status
 Status
 |- Number of jail: 1
 `- Jail list: ssh

SSH bruteforce logs are identified by fail2ban:

 # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
 ....
 Success, the total number of match is 30

So, check that all your logs are synchronized: all log files (auth.log, syslog, ...) must use the same time reference. If your server is not very busy, there will probably be a significant difference between the output of the [http://unixhelp.ed.ac.uk/CGI/man-cgi?date date] command and the last event logged in syslog; you can force a new entry into syslog with the [http://unixhelp.ed.ac.uk/CGI/man-cgi?logger+1 logger] command and then compare its timestamp with the output of the date command.

'''If time reference is not the same everywhere, then fail2ban won't ban any IP!'''

If you change your timezone remember to restart syslogd so fail2ban will see the correct time in the log files.

Check whether '''backend = auto''' is set, and set '''backend = polling''' instead. In some cases fail2ban is not notified by gamin, but will still choose to use it when ''auto'' is set.

=== Fail2ban is failing to ban VSFTPD bruteforce ===

'''Scenario:''' VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure.

*'''Problem:''' PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.

'''Scenario:''' Timestamps in /var/log/vsftpd.log are in GMT instead of the local time zone.

*'''Problem:''' Fail2ban won't ban if the timestamps it finds don't match its idea of the current time.

*'''Fix:''' Add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf and restart the vsftpd service.

'''NB''': This will also cause file timestamps in directory listings and other timestamps displayed to clients to be in your local time zone. If this is unacceptable, then you may wish to configure fail2ban to monitor /var/log/secure, whose timestamps are in the local time zone, but this may cause other problems as described above.
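Why both the out-of-sync syslog clock above and vsftpd's GMT timestamps end in "no ban at all": fail2ban only counts failures whose log timestamp falls within ''findtime'' of the current system time, and a log written on a clock that is hours off never lands in that window. The following was written for this page to show that logic in simplified form; it is not fail2ban's implementation. The ''vsftpd''/PAM lines are constructed, '''NOW''' stands in for the system clock, and ''findtime''/''maxretry'' use the usual jail defaults of 600 seconds and 3 attempts as assumed values.

```python
import re
from datetime import datetime, timedelta

# Syslog-style prefix: abbreviated month, day, time; no year and no time zone.
SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTH_NAMES = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTHS = {name: i for i, name in enumerate(MONTH_NAMES, 1)}

# Fixed stand-in for the system clock so the example is reproducible.
NOW = datetime(2024, 6, 15, 12, 0, 0)


def parse_syslog_time(line, now):
    """Timestamp of a syslog line, read as local time with the year taken from
    the system clock (the assumptions fail2ban makes for this log format)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(now.year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def log_clock_offset(line, now):
    """How far the log's clock lags the system clock: the date-versus-logger check."""
    return now - parse_syslog_time(line, now)


def recent_failures(lines, now, findtime=600):
    """Failures whose timestamp lies inside the findtime window ending at now."""
    window_start = now - timedelta(seconds=findtime)
    hits = 0
    for line in lines:
        ts = parse_syslog_time(line, now)
        if ts is not None and window_start <= ts <= now:
            hits += 1
    return hits


def would_ban(lines, now, maxretry=3, findtime=600):
    return recent_failures(lines, now, findtime) >= maxretry


def make_log(now, skew_seconds=0):
    """Constructed log: three PAM failures from one address in the last minute,
    stamped by a clock that is skew_seconds away from the system clock."""
    lines = []
    for age in (50, 30, 10):
        ts = now - timedelta(seconds=age) + timedelta(seconds=skew_seconds)
        stamp = f"{MONTH_NAMES[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
        lines.append(f"{stamp} srv vsftpd: pam_unix(vsftpd:auth): "
                     "authentication failure; rhost=203.0.113.7")
    return lines


if __name__ == "__main__":
    in_sync = make_log(NOW)
    gmt_on_utc_plus_2 = make_log(NOW, skew_seconds=-2 * 3600)
    print("clocks in sync ->", would_ban(in_sync, NOW))
    print("log 2h behind  ->", would_ban(gmt_on_utc_plus_2, NOW),
          "offset:", log_clock_offset(gmt_on_utc_plus_2[-1], NOW))
```

The same three failures ban the address when the clocks agree and are ignored when the daemon stamps them in GMT on a UTC+2 host, because every entry looks two hours old. The offset reported by '''log_clock_offset''' is what you are measuring by hand when you compare the ''date'' output with the entry that ''logger'' just wrote; anything beyond a few seconds is worth fixing before touching the jail configuration.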

=== I get the error "Please check the format and your locale settings" ===

This is a known bug. Since 0.6.1, {{Fail2ban}} uses your locale settings for the date and time format. However, some daemons do not take care of the locale and write their log messages using the POSIX standard. Please look at this bug for more details.

You can try to override the LANG variable:

 # LANG=en_US /etc/init.d/fail2ban restart

You can get all the available locales with:

 # locale -a

=== How do I increase verbosity? ===

In order to increase the verbosity of {{Fail2ban}}, use the command line option '''-vvv''' for ''fail2ban-client'' and ''fail2ban'' (only for 0.6.x). Set '''loglevel''' to 4 in <tt>/etc/fail2ban/fail2ban.conf</tt> (only for > 0.6.x).
